MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 19 File information Comments

SHA256 hash:	dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847
SHA3-384 hash:	3c990b6524ec9102ccc8d7cbdf0297980dc5cf958673b1ff5bebe1bb958fc866b4fb8c1c652dd4990abd156260c20669
SHA1 hash:	3246916a885cb1a8a57af6b04e4e9dff7bc81770
MD5 hash:	b8f007cdb7c35f470ec3fb71961a9ea7
humanhash:	december-green-quiet-bravo
File name:	file
Download:	download sample
File size:	306'176 bytes
First seen:	2025-11-03 01:07:04 UTC
Last seen:	2025-11-03 01:09:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	62520313066ce3db1e34fc34411feaf9
ssdeep	6144:dXgN2B2mMsjfhQPMUQjdW4CbWjK3AM3DWZtxVVwfwM6q+wIcKxBOUtKqu:dXNxuPMfZW4yW2zDWBVVwffFaPNu
TLSH	T18E54232BCEF25E73E732D27F005CEA815875DA81D7906E688CF6245EB407E7628D0687
TrID	63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12) 24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 UPX

Bitsight

url: http://178.16.55.189/files/7120586914/NS6iUMk.exe

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	306'176 bytes
File size (de-compressed) :	1'205'760 bytes
Format:	win64/pe
Unpacked file:	7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

_dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847.exe

Verdict:

Malicious activity

Analysis date:

2025-11-03 01:08:04 UTC

Tags:

uac auto-sch auto-reg asyncrat amsi-bypass upx

Link:

https://app.any.run/tasks/839770cb-baac-4b00-a7a4-9b6fa99352b5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35041/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690800669942f1282ecb8e8d

Tags:

autorun shell virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Running batch commands

Creating a service

Connection attempt

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun for a service

Changing the Windows explorer settings to hide files extension

Disabling the operating system update service

Enabling autorun by creating a file

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-02T22:13:00Z UTC

Last seen:

2025-11-03T10:28:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Agent.sb HEUR:Trojan.PowerShell.Generic HEUR:Exploit.Win32.BypassUAC.b VHO:Exploit.Win32.Convagent.gen Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d9c9dab7-da41-4161-af16-d3d5a6bfb0f0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/b8f007cdb7c35f470ec3fb71961a9ea7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847/

Verdict:

Malicious

Threat:

Family.ASYNCRAT

Link:

https://tip.neiki.dev/file/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3tzb5qmgschfssvrq7lcmg6ibg57eg5tizs4bnmyvvmnvrawhbdq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion execution persistence upx

Link:

https://tria.ge/reports/251103-bg1w9adp4y/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Launches sc.exe

Drops file in System32 directory

UPX packed file

Adds Run key to start application

Indicator Removal: File Deletion

Disables service(s)

Command and Scripting Interpreter: PowerShell

Contains code to disable Windows Defender

Modifies visibility of file extensions in Explorer

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e6420a9d-b491-4924-88c4-fde7e906ee88

Unpacked files

SH256 hash:

dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

MD5 hash:

b8f007cdb7c35f470ec3fb71961a9ea7

SHA1 hash:

3246916a885cb1a8a57af6b04e4e9dff7bc81770

Link:

https://www.unpac.me/results/0afa1dae-898e-4426-9de9-fd78dd8f48fc/

SH256 hash:

7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993

MD5 hash:

8985cd9f9757d62feacf042c3b9eecda

SHA1 hash:

2bc60a524f84940ea8a413a68617c33aed1722c2

Detections:

INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

INDICATOR_SUSPICIOUS_DisableWinDefender

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Link:

https://www.unpac.me/results/0afa1dae-898e-4426-9de9-fd78dd8f48fc/

Parent samples :

7120ab5a4aab112d643c3515fc922a254c0627e62a16fb336aa2d8f367222993
dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dcf21ec18690/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcf21ec186908e594ab187d6261bc809bbf21bb34665c0b598ad58dac4163847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Shutdown Create hunting rule
Author:	adm1n_usa32

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	dgaaga Create hunting rule
Author:	Harshit
Description:	Detects suspicious PowerShell or registry activity

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifacts associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer Create hunting rule
Author:	ditekSHen
Description:	detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)